A lot of websites and blogs out there use WordPress as their platform, mine included. It has tons of features, is quite easy to use, and the security is not bad either, as long as it is properly maintained. As for EC-Council, they must have missed something when it comes to securing their CMS, which also runs on WordPress.
As I have written before, anyone can get hacked; usually it is just a matter of time. It actually occurred to me today that I should tighten my own security measures a bit. The reason for this is that I get regular reports of script kiddies trying to brute force my username and password for this blog. Nothing new, it probably happens to most of us. My password is not found in any dictionary out there as far as I know, but given enough time, even a script kiddie can get lucky. So, by adding multi-factor authentication as a requirement for logging in to my blog, I have made it a lot harder to gain unauthorized access. It was simple to do, took less than 10 minutes and there was no cost except for the 10 minutes spent setting it up. Also, thanks to my hosting provider, I enabled SSL for this site, which means my username and password are not submitted in clear text anymore. Yes, of course, I changed the password for this blog over SSL to make sure I am the only one with knowledge of my password.
Being hacked is one thing; being hacked and having your website infect visitors with one of the worst pieces of malware out there is even more troublesome. What makes it beyond bad is the fact that EC-Council certifies people for having skills in IT security, myself included. Teaching people and not living as you teach and preach is perhaps the best way of losing everyone's respect. In an industry that needs more skilled professionals, the actions taken by EC-Council are not what we want to see. Several people have argued that once EC-Council knew about the exploit kit, their site should have been removed from the network and reinstated once it was cleaned. Instead it remained on the network for several days, and by doing so, they may have helped spread the exploit kit to unsuspecting visitors. To me, this behaviour is not OK, it simply is not. I can appreciate the shame and guilt that comes with being hacked, but acting responsibly could at least have restored some credibility on their behalf; instead they did the opposite.
Honestly, the CEH certification that I have is not worth much, as it does not really prove much. However, the training I took was great. The material was OK and the teacher was excellent, an older British gentleman with a background from GCHQ. He knew his stuff very well, so I learned a lot that week, no doubt about that.
EC-Council has cleaned their website as of March 26th according to their announcement, but I find it quite interesting that they made the announcement on Facebook and Twitter. Should they not at least acknowledge the fact on their own website and, even more, inform visitors of what could have infected them and give them guidelines on how to check whether they became victims of this attack? Instead, they go with the silent treatment in the hope that this incident will pass and fade over time.
I just wonder, does EC-Council really have a future after this and their DNS compromise in 2014? I do not know, but I will not keep my CEH certification once it expires. It did not stand for much before all this and now I feel it does not stand for anything good at all. So long EC-Council.
The blog post about EC-Council serving an exploit kit can be found at http://blog.fox-it.com/2016/03/24/website-of-security-certification-provider-spreading-ransomware/